Iczelion''s PE tut 2 - Forums

Home » Forums » MAIN » Iczelion''s PE tut 2

Iczelion writes: "assume edi:ptr IMAGE_DOS_HEADER" could somebody tell me what exactly this is doing? like I know you can't use: "mov edi, offset IMAGE_DOS_HEADER" I tried and it doesn't work. I know I must be missing some very basic concept here but what is it?

Posted on 2001-04-13 20:16:00 by czDrillard

Iczelion''s PE tut 2

Hi there! This explanation won't be too technical..but i think it'll help :) The 'assume edi:ptr IMAGE_DOS_HEADER' gives you the opportunity to treat EDI as a 'holder' of a IMAGE_DOS_HEADER structure. Please don't misunderstand me here, this does not mean that the whole structure is inside the register, its like a pointer. So after the assume instruction you could do things like this: MOV EAX,.e_lfanew that will store in EAX the value of the e_lfanew member as you might have guessed :). Hope that helped. Ciao! Latigo

Posted on 2001-04-13 21:39:00 by latigo

Iczelion''s PE tut 2

Thanks Latigo, This is very helpful and now I see what ASSUME doing. Now only thing I need to complete my understanding: is there any other way in assembly to do what ASSUME does in this case? Like why can't I move the address of the structure into eax and use that as pointer?

Posted on 2001-04-13 22:27:00 by czDrillard

Iczelion''s PE tut 2

Although EAX wasn't used as a pointer, it doesn't mean it can't be. ASSUME is not a machine instruction--you must load the structure address into a register, EDI or EAX or whatever, with another instruction. Examples:


    mov   edi,offset structure
    lea   edi,structure
    mov   edi,    ; function argument

Instead of ASSUME EDI:xxxx, you could say ASSUME EAX:xxxx and use EAX.

Posted on 2001-04-14 01:12:00 by tank

Iczelion''s PE tut 2

czDrillard, From my experience, assume is quite usefull if you have alot of work to do with a structure, especially when the structure name is long! If you only need to modify one item in a structure, then the alternative (as you suggested) would most likely be best. Below is the earlier case of why TO use assume, as well as an the alternate syntax if you didnt. An example:


    HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL struc
       IsUsed       DWORD     <>
       IsAdjusting  DWORD     <>
       StartPoint   POINT     <>
       EndPoint     POINT     <>
       EndHandle    G_HANDLE  <>
       StartHandle  G_HANDLE  <> 
       RGB_COLOR    DWORD     ?
    HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL ends

Somewhere else in the code:


     ; ebx points to an instance of the structure somewhere in memory

     assume ebx:PTR HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL

     mov .IsUsed, TRUE
     mov .IsAdjusting, FALSE
     lea ecx, SomeAddress
     mov .StartPoint, ecx
     lea ecx, SomeOtherAddress
     mov .EndPoint, ecx
     mov .EndHandle, hWnd
     mov .StartHandle, hInstance

     ; All done with the 'dirty' work, so free ebx of its assumption
     assume ebx:NOTHING

The alternative to this would be:


mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).IsUsed, TRUE
mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).IsUsed, TRUE
mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).IsAdjusting, FALSE
lea ecx, SomeAddress
mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).StartPoint, ecx
lea ecx, SomeOtherAddress
mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).EndPoint, ecx
mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).EndHandle, hWnd
mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).StartHandle, hInstance

Dramatics asside, I think the point here is obvious :P BTW: Kool web page... NaN This message was edited by NaN, on 4/14/2001 2:04:10 AM

Posted on 2001-04-14 01:56:00 by NaN

Iczelion''s PE tut 2

NaN, If I don't like to ASSUME and just say

 
LEA ebx,HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL

     mov .IsUsed, TRUE
     mov .IsAdjusting, FALSE
     lea ecx, SomeAddress
     mov .StartPoint, ecx
     lea ecx, SomeOtherAddress
     mov .EndPoint, ecx
     mov .EndHandle, hWnd
     mov .StartHandle, hInstance

Am I wrong ??? forge

Posted on 2001-04-14 06:04:00 by forge

Iczelion''s PE tut 2

I've never tried, but as im reading it i would say yes. Your asking to CPU load into ebx the effective address of a non-instanciated stucture. My reasoning is this, if i decalaired:


.data?

  MemA HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL <>
  MemB HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL <>

.code
  ...
  lea ebx, HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL
  mov .IsUsed, TRUE
  mov .IsAdjusting, FALSE

  etc...

How would the CPU be able to understand what my intentions were, should it be filling the memory at MemA, or MemB?? HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL is just a structure that the assembler uses to properly index to the right data fields, when a varible is defined as this. By using the structure as a template, and telling the compiler that ebx is a pointer to a varible created by this template, the operations will be translated to something like this (may be a bit different): Uncompiled Code:


     assume ebx:PTR HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL
     mov .IsUsed, TRUE
     mov .IsAdjusting, FALSE
     etc...
     assume ebx:NOTHING

Compiled Code:


     mov , 1
     mov , 0
     etc...

Again, i didnt actually decompile to check, but im pretty sure this is what goes on, or at least something to this nature. NaN

Posted on 2001-04-14 11:19:00 by NaN

Iczelion''s PE tut 2

Thanx people for all your input. This has been most helpful to me and it shows what a great forum we got here.

Posted on 2001-04-14 16:29:00 by czDrillard

ASM Community